Over the past weeks we have been seeing malware exploit vulnerabilities in Microsoft Office in order to compromise systems. Most of the vulnerabilities exploited so far, however, have been in Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.
We have now received a sample said to exploit a currently unknown vulnerability in Microsoft Access. We are still verifying whether the vulnerability being exploited is an old one, most probably MS04-014, Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001), or a new vulnerability altogether.
Trend Micro detects this malicious MS Access file as TROJ_ACCDROP.A and the dropped file is detected as TROJ_AGENT.FNM.
Today is Microsoft patch day, and some of our readers will be familiar with the pattern of MS Office 0-days surfacing right after every Microsoft release…
This is also a good time to update our Microsoft software, MS Office included. Doing so protects our systems against malware that exploits old vulnerabilities, which malware authors continue to use as attack vectors. Let's patch our machines and be wary of unsolicited email messages carrying MS Office documents, since those files may have been altered and crafted to exploit and compromise your system.
If the Access vulnerability turns out to be an old one, patching blocks this exploit. If it is indeed a new vulnerability, users are advised not to open unsolicited MS Office documents, especially MS Access files. Always keep your pattern files up to date so that malware like this one is detected before it can compromise your machine.
Update (Ivan Macalintal, Wed, 11 Oct 2006 03:32:39 AM)
The MDB file reported above may have been used in an attempted targeted attack on a high-profile customer (whom we are not going to name here, to preserve confidentiality).
Nevertheless, here is some more information regarding this threat:
Filesize: 161,796 bytes
TROJ_ACCDROP.A just drops and executes TROJ_AGENT.FNM. TROJ_AGENT.FNM creates the following files and registry entry:
C:\WINDOWS\system32\html.exe
C:\WINDOWS\system32\mslogsvr.ini
C:\WINDOWS\system32\software.inf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\WINDOWS\system32\html.exe"
TROJ_AGENT.FNM also connects to a site, most probably to act as a trojan proxy.
Microsoft has already been contacted regarding this issue, but so far there has been no reply; do hold for updates.
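As an added check, not part of the original post and not Trend Micro's own tooling: the PowerShell script below hunts a Windows host for the TROJ_AGENT.FNM indicators listed above. It assumes a default installation, where the Winlogon Shell value is expected to be explorer.exe, and resolves the dropped-file paths against the host's own %SystemRoot% rather than the literal C:\WINDOWS from the post. Reading the per-user HKCU Winlogon key and hashing any file found are my additions, going slightly beyond the post's indicators; the HKCU value overrides the machine-wide one when present, so persistence there deserves the same scrutiny.

```powershell
# Added example (not from the original post): hunt for the TROJ_AGENT.FNM
# indicators reported above. Assumes a default install, where the Winlogon
# Shell value is "explorer.exe"; anything else at this value is worth a look.
$ExpectedShell = 'explorer.exe'

# Winlogon\Shell is read from HKLM (the location named in the post) and also
# from HKCU, since a per-user value overrides the machine-wide one when set.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Dropped-file paths from the post, resolved against this host's system root.
$IocFiles = @(
    (Join-Path $env:SystemRoot 'system32\html.exe'),
    (Join-Path $env:SystemRoot 'system32\mslogsvr.ini'),
    (Join-Path $env:SystemRoot 'system32\software.inf')
)

$Findings = New-Object System.Collections.Generic.List[string]

foreach ($Key in $WinlogonKeys) {
    # A missing key or value is the default state and needs no report.
    $Props = Get-ItemProperty -Path $Key -Name Shell -ErrorAction SilentlyContinue
    if ($null -eq $Props) { continue }
    $Shell = $Props.Shell
    # -ne is case-insensitive in PowerShell, so "Explorer.exe" still passes;
    # "explorer.exe,C:\...\html.exe" (the usual append trick) does not.
    if ($Shell -ne $ExpectedShell) {
        $Findings.Add("Non-default Winlogon Shell in ${Key}: '$Shell' (expected '$ExpectedShell')")
    }
}

foreach ($Path in $IocFiles) {
    if (Test-Path -LiteralPath $Path) {
        # Hash the file so it can be matched against vendor detections or submitted.
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $Findings.Add("IOC file present: $Path (SHA256 $Hash)")
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No TROJ_AGENT.FNM indicators found.'
} else {
    Write-Warning "$($Findings.Count) indicator(s) found:"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Reading these registry values and file paths needs no elevation. A non-default Shell value is a strong signal but not proof on its own (kiosk builds legitimately replace it), and a clean run only shows that these particular indicators are absent, not that the host is uncompromised; a host that was hit should still be scanned with up-to-date patterns.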
Update (Jessie Paz, Wed, 11 Oct 2006 02:13:30 PM)
The sample does not look similar to other MDB files that carry the MS04-014 exploit. However, when the sample was opened on an unpatched machine, MS Access crashed… but once the MS04-014 patch was installed, the crash did not happen…
This only means that if you already have the MS04-014 security patch, you will be well protected from this threat.